mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-02 20:32:58 +00:00
Fixes 13 correctness issues flagged in the second Codex review pass on the
feat/mcp-apps-support branch.
Core server-side changes: resource URI and model-only-tool caches are now
scoped per user/server key so OAuth and user-sourced servers with differing
tool lists cannot cross-contaminate each other. The model-only visibility check
in appToolCall now blocks iframe-initiated calls to tools declared as
visibility: ['model']. appToolCall also runs processMCPEnv to resolve runtime
env/user vars and set request headers before forwarding to tools/call, and
throws for servers that require per-call OBO token minting (unsupported in this
path). parsers.ts now includes structuredContent in the synthetic resourceId
hash to guarantee uniqueness across repeated same-app calls with different
results, skips the early-return guard when a synthetic app resource is present,
appends the ui{} marker to the synthetic text block, and forwards the raw
content array alongside structuredContent so text/image-only app results are
not silently dropped.
Client-side changes: fetchMCPResourceHtml now returns the full _meta.ui from
the resources/read content item so CSP and permissions come from the canonical
location in the spec rather than the tool descriptor. useAppBridge falls back
to the resource-level values when the read result carries no overrides.
The sandbox retry interval clears when sandbox-resource-ready arrives, fixing
the race where the ready notification arrived before the transport was
connected. The size-change handler in MCPUIResource and UIResourceCarousel now
applies the reported height to the wrapper element, and MCPUIResource's iframe
style uses height: 100% so inline apps are not clipped. The carousel loading
placeholder now uses the localized key. Dockerfile.multi copies the sandbox
from client/dist (the Vite output) rather than the source tree, which is the
only path present in the multi-stage runtime image. baseUriDomains from the
CSP config are now honoured in buildCspPolicy instead of always emitting
base-uri 'self'. serverResources was removed from the AppBridge capabilities
advertisement because no resource handlers are registered on the bridge.
|
||
|---|---|---|
| .. | ||
| __tests__ | ||
| agents.tsx | ||
| artifacts.ts | ||
| buildDefaultConvo.ts | ||
| buildTree.ts | ||
| citations.ts | ||
| cleanupPreset.ts | ||
| cn.ts | ||
| collection.ts | ||
| configHtml.ts | ||
| conversation.ts | ||
| conversationTags.spec.ts | ||
| conversationTags.ts | ||
| convos.fakeData.ts | ||
| convos.spec.ts | ||
| convos.ts | ||
| createChatSearchParams.spec.ts | ||
| createChatSearchParams.ts | ||
| downloadFile.ts | ||
| drafts.ts | ||
| email.ts | ||
| endpoints.spec.ts | ||
| endpoints.ts | ||
| errors.ts | ||
| favoritesError.ts | ||
| files.ts | ||
| forms.tsx | ||
| getDefaultEndpoint.ts | ||
| getLoginError.ts | ||
| getThemeFromEnv.js | ||
| groupToolCalls.ts | ||
| heicConverter.spec.ts | ||
| heicConverter.ts | ||
| icons.ts | ||
| imageResize.ts | ||
| index.ts | ||
| json.ts | ||
| languages.ts | ||
| latex.spec.ts | ||
| latex.ts | ||
| localStorage.ts | ||
| logger.ts | ||
| map.ts | ||
| markdown.ts | ||
| mcpApps.ts | ||
| memory.ts | ||
| mermaid.ts | ||
| messages.ts | ||
| presets.ts | ||
| previewCache.ts | ||
| promptGroups.ts | ||
| prompts.ts | ||
| redirect.ts | ||
| resetConvo.ts | ||
| resources.ts | ||
| roles.ts | ||
| routes.ts | ||
| scaleImage.ts | ||
| share.ts | ||
| subagentContent.ts | ||
| textarea.ts | ||
| tilde.spec.ts | ||
| tilde.ts | ||
| timestamps.ts | ||
| tokens.spec.ts | ||
| tokens.ts | ||
| toolLabels.ts | ||